Integrated circuit device, information processing device, information recording device memory management method, mobile terminal device, semiconductor integrated circuit device, and communication method using mobile terminal device

ABSTRACT

A memory region on an IC card has a hierarchical structure. Each application allocated on the memory region is registered in a directory, and the memory region is managed in directory units. A personal identification code is set for each application and directory, and the access right is controlled in application units or directory units. If a mobile terminal is lost, the right to access each application in the IC card automatically disappears. Therefore, the right to access each application allocated to the memory region on the IC card is efficiently controlled.

TECHNICAL FIELD

[0001] The present invention relates to information storage media with memory regions, IC chips with memory regions, information processing apparatuses having the IC chips with the memory regions, and memory management methods for the information storage media, and particularly relates to an information storage medium for use by being placed in an information processing apparatus such as a cellular phone or a PDA (Personal Digital Assistant), an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0002] More particularly, the present invention relates to an information storage medium in which one or more applications are allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium, and more particularly relates to an information storage medium for controlling the right to access each application allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0003] The present invention also relates to a mobile terminal having an IC chip placed therein, which is driven by receiving power using wireless communication with an external apparatus, and to an IC card for use in conjunction with the mobile terminal, and more particularly relates to a mobile terminal having an IC chip placed therein, which is driven by receiving power using wireless communication with an external apparatus and which has a memory function, a control method therefor, and an IC card with a memory function.

[0004] More particularly, the present invention relates to a mobile terminal in which one or more applications are allocated to a memory region on an IC chip, a control method therefor, and an IC card in which one or more applications are allocated to a memory region, and more particularly relates to a mobile terminal for controlling the right to access each application allocated to a memory region on an IC chip in application units, a control method therefor, and an IC card for controlling the right to access each application allocated to a memory region in application units.

BACKGROUND ART

[0005] Various apparatuses using a personal identification number or password for identification and authentication have been devised and put into practical use. (In general, the term “personal identification number” refers to a character string represented by a combination of numerals from 0 to 9, and the term “password” refers to a character string represented using numerals and general characters such as letters of the alphabet. In this specification, a set of a personal identification number and password may also be referred to as a “personal identification code (PIC)”.)

[0006] For example, when a user wants to use an automatic teller machine (ATM) card at a bank or other financial institution, the user is prompted by a cash dispenser or the like to enter a personal identification number or password as means of identification. After it is confirmed that the user has entered the correct personal identification number or password, the user can draw money from the cash dispenser.

[0007] Other applications for the personal identification code include entering a personal identification code at a safety box placed at an accommodation facility such as a hotel, entering a password when logging into a computer, and concealing information on an information terminal.

[0008] A storage medium such as a magnetic stripe on a known ATM card for a bank has a storage region for use solely in that bank. Entering the above-described personal identification number or password merely accesses the single storage region. The user is thus required to prepare cards for individual objectives or purposes and separately use the plural cards.

[0009] Recently, contactless IC cards have become widely used. For example, an IC card reader/writer placed at a cash dispenser, the entrance to a concert hall, or the ticket gate of a station accesses an IC card held thereabove in a contactless manner. The user inputs a personal identification number or password to the IC card reader/writer, and the input personal identification number or password is checked against a personal identification number or password stored on the IC card, thus performing identification or authentication between the IC card and the IC card reader/writer. When the identification or authentication succeeds, for example, the use of an application stored in the IC card is permitted. One possible type of application stored in the IC card is value information, such as electronic money or an electronic ticket.

[0010] Due to the improvement of miniaturization technology, IC cards with relatively high-capacity storage spaces have appeared and been widely used recently. Since known ATM cards only have a single storage region, that is, a single application, the user is required to carry a plurality of cards in accordance with objectives or purposes. In contrast, an IC card with a high-capacity memory stores a plurality of applications at the same time. A single IC card thus serves a plurality of purposes. For example, a single IC card stores two or more applications, such as electronic money for conducting electronic transactions and an electronic ticket for entering a specific concert hall. This single IC card serves various purposes.

[0011] When such an IC card with a high-capacity memory function (or a semiconductor IC chip with a data carrier function and/or an authentication function) is placed on a mobile terminal such as a cellular phone, a user having the mobile terminal is allowed to exchange electronic value information with the outside world, such as conducting an electronic transaction.

[0012] Since known ATM cards have only a single purpose (as described above), a magnetic stripe on each ATM card has a single personal identification number or password to manage the security of the entire card.

[0013] In contrast, IC cards with memory functions capable of storing a plurality of applications and mobile terminals having such IC cards (or IC chips) placed therein are required to control the right to access each application because, when a single personal identification code is used to open access to all applications on the IC card, the security in case of loss or theft of the IC card is greatly degraded.

[0014] As a memory region placed on the IC card expands due to progress in the manufacturing technology, more numerous applications are allocated to the memory region on the IC card. When the applications are simply allocated to the memory region, the application arrangement becomes complicated for the user, and the user has difficulty in classifying and organizing the applications on the memory region.

[0015] In a case in which the right to access the applications is controlled by individual personal identification codes, when the user wants to use a plurality of correlated applications in a series of transactions, the user is required to sequentially input personal identification codes in the same transactions. As a result, the operability of the apparatus is greatly degraded.

DISCLOSURE OF INVENTION

[0016] It is an object of the present invention to provide an improved information storage medium with a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0017] It is another object of the present invention to provide an improved information storage medium for use by being placed on an information processing apparatus such as a cellular phone or a PDA (Personal Digital Assistant), an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0018] It is yet another object of the present invention to provide an improved information storage medium in which one or more applications are allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0019] It is a further object of the present invention to provide an improved information storage medium for controlling the right to access each application allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0020] It is another object of the present invention to provide an improved information storage medium for efficiently managing a plurality of applications allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0021] In view of the foregoing objects, according to a first aspect of the present invention, an integrated circuit device or a memory management method for an information storage device is provided including memory allocating means or step for allocating a memory region to each application;

[0022] personal identification code setting means or step for setting, for each application allocated to the memory region, a personal identification code for controlling the right to access each application; and

[0023] accessibility/inaccessibility managing means or step for managing each application allocated to the memory region to be accessible/inaccessible,

[0024] wherein the accessibility/inaccessibility managing means or step sets each application for which the personal identification code is set to be inaccessible in a default setting, and, in response to the fact that the personal identification code input from a user matches the set personal identification code, the accessibility/inaccessibility managing means or step sets the corresponding application to be accessible.

[0025] The integrated circuit device according to the first aspect of the present invention is provided in the form of, for example, an IC chip. A cartridge which has the IC chip with an antenna and which is formed in the size of a credit card is generally referred to as an “IC card”. The IC chip is used by being embedded in a mobile terminal such as a cellular phone or a PDA or in other information processing apparatuses. The IC card may be used by being inserted into an information processing apparatus. Applications for the IC chip or IC card include functions related to value information, such as prepaid electronic money or an electronic ticket. In the following description, the functions provided by the IC chip or IC card may also be referred to as “applications”.

[0026] By allocating the memory region to each application in a hierarchical manner using directories, the memory allocating means or step manages the memory space in the IC card arranged as a hierarchical structure. Accordingly, correlated applications, such as a plurality of applications used in a series of transactions, are stored in the same directory to enable the user to efficiently classify and organize the applications.

[0027] When an external apparatus has a card reader, the external apparatus can access the IC chip via a wireless interface. The right to access the memory region in the IC chip or the like is controlled by matching of personal identification codes. A personal identification code may be input using an information processing apparatus having embedded therein the IC chip to disengage the lock. Subsequently, a wireless link may be established, and access to the memory region may be permitted. Alternatively, after a wireless link between the IC chip in the information processing apparatus and the external apparatus is established, the access right is controlled on the basis of a personal identification code input using the external apparatus.

[0028] In such a case, the personal identification code setting means or step may set, for each application and directory, the personal identification code for controlling the right to access each application and directory. The accessibility/inaccessibility managing means or step may set each application and directory for which the personal identification code is set to be inaccessible in the default setting, and, in response to the fact that the personal identification code input from the user matches the set personal identification code, the accessibility/inaccessibility managing means or step may set the corresponding application or directory to be accessible.

[0029] In response to the fact that the personal identification code input from the user matches the personal identification code set for one of the directories, the accessibility/inaccessibility managing means or step may set all applications and sub-directories under the directory to be accessible.

[0030] According to the integrated circuit device and the memory management method for the information storage device according to the first aspect of the present invention, the memory space has a hierarchical structure. By allocating a directory to each application, the applications are efficiently managed in directory units.

[0031] For example, highly-correlated applications, such as those used in a series of transactions, are registered in the same directory (and highly-correlated sub-directories are registered in the same directory). Accordingly, the application and directory arrangement in the memory region is well organized, and the user can efficiently classify and organize the applications.

[0032] According to the integrated circuit device and the memory management method for the information storage device according to the first aspect of the present invention, in addition to setting the personal identification code for each application, the personal identification code can be set for each directory. In addition to controlling the access right in application units, the access right can be efficiently controlled in directory units.

[0033] For example, the user inputs a personal identification code corresponding to a directory. The input personal identification code is checked and authenticated, and the user is thus given the right to access all applications (and sub-directories) in the directory. For example, the user obtains the right to access all applications used in a series of transactions by inputting a personal identification code for the corresponding directory once. Access control is thus efficiently performed, and the operability of the apparatus is thus improved.

[0034] The integrated circuit device or the memory management method for the information storage device according to the first aspect of the present invention may further include private key setting means or step for setting, for each application and directory allocated to the memory region, a private key for authentication. In such a case, the accessibility/inaccessibility managing means or step may set the inaccessible application or directory to be accessible when the inaccessible application or directory is mutually authenticated by a predetermined certificate authority using the private key.

[0035] The integrated circuit device or the memory management method for the information storage device may further include access denying means or step for causing each accessible application and directory to be inaccessible in response to cutting off the power to the integrated circuit device or the information storage device.

[0036] When the IC card is lost or stolen, the user may suffer from damage since the applications and directories may be used without permission or fraudulently. According to the first aspect of the present invention, access to all applications and directories is automatically denied in response to cutting off the power to the IC card. In case of loss of the IC card, the IC card is prevented from being maintained as accessible and from being used fraudulently by a malicious user.

[0037] The integrated circuit device or the memory management method for the information storage device may include number-of-input-failure storing means or step for storing the number of failures of input of the personal identification code for each application and directory allocated to the memory region; and maximum-permissible-number-of-input-failure setting means for setting the maximum permissible number of failures of input of the personal identification code for each application and directory allocated to the memory region. In such a case, the accessibility/inaccessibility managing means or step may set the application or directory in which the number of input failures has reached the maximum permissible number of inputs to be inaccessible.

[0038] The integrated circuit device or the memory management method for the information storage device may include number-of-input-failure initializing means or step for clearing the number of input failures stored in the number-of-input-failure storing means or step by a manager mutually authenticated by a predetermined certificate authority.
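
The access rules of paragraphs [0024] to [0038], modelled in C as an added example that is not part of the patent text: default-inaccessible nodes, a directory PIC that opens everything beneath it, access flags lost at power-off, and a per-node failure limit cleared only by an authenticated manager. Assumptions: all names, the 4-byte PIC, the constructed directory layout, the constant-time comparison, a boolean standing in for mutual authentication, a failure count that a successful entry leaves unchanged, and a blocked node staying inaccessible even under an unlocked directory.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_NODES 8
#define PIC_LEN   4        /* assumption: fixed-length 4-byte PIC */
#define NO_PARENT (-1)

enum pic_result { PIC_OK, PIC_WRONG, PIC_BLOCKED, PIC_NOT_SET };

typedef struct {
    int     parent;        /* enclosing directory, NO_PARENT for the root */
    int     has_pic;       /* 0: no PIC was set for this node */
    uint8_t pic[PIC_LEN];
    uint8_t failures;      /* non-volatile: survives power loss */
    uint8_t max_failures;  /* non-volatile: maximum permissible failures */
    int     unlocked;      /* volatile access flag, 0 = inaccessible (default) */
} node_t;

static node_t card[MAX_NODES];
static int node_count;

/* Register an application or directory; pic == NULL means no PIC is set. */
int card_add(int parent, const uint8_t *pic, uint8_t max_failures)
{
    if (node_count >= MAX_NODES) return -1;
    node_t *n = &card[node_count];
    *n = (node_t){ .parent = parent, .has_pic = (pic != NULL),
                   .max_failures = max_failures };  /* other fields zeroed */
    for (size_t i = 0; pic && i < PIC_LEN; i++) n->pic[i] = pic[i];
    return node_count++;
}

/* Compare every byte so timing does not reveal how much of the PIC matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

static int blocked(const node_t *n)
{
    return n->has_pic && n->failures >= n->max_failures;
}

/* Check a PIC against one node; update its access flag and failure count.
 * Assumption: a successful entry leaves the failure count as it is. */
enum pic_result card_verify_pic(int idx, const uint8_t *input)
{
    if (idx < 0 || idx >= node_count || !card[idx].has_pic) return PIC_NOT_SET;
    node_t *n = &card[idx];
    if (blocked(n)) return PIC_BLOCKED;   /* no further guesses accepted */
    if (ct_equal(n->pic, input, PIC_LEN)) {
        n->unlocked = 1;
        return PIC_OK;
    }
    n->failures++;
    if (blocked(n)) n->unlocked = 0;      /* limit reached: inaccessible */
    return PIC_WRONG;
}

/* A node is accessible if it, or any directory above it, has been unlocked. */
int card_accessible(int idx)
{
    if (idx < 0 || idx >= node_count) return 0;
    if (blocked(&card[idx])) return 0;    /* assumption: blocked beats cascade */
    for (int n = idx; n != NO_PARENT; n = card[n].parent)
        if (card[n].unlocked) return 1;
    return !card[idx].has_pic;            /* only nodes with a PIC start locked */
}

/* Power cut: every access flag is lost, the failure counters are not. */
void card_power_off(void)
{
    for (int i = 0; i < node_count; i++) card[i].unlocked = 0;
}

/* manager_authenticated stands in for the mutual authentication step. */
int card_reset_failures(int idx, int manager_authenticated)
{
    if (!manager_authenticated || idx < 0 || idx >= node_count) return 0;
    card[idx].failures = 0;
    return 1;
}

/* Constructed layout: two applications in one directory, one outside it. */
enum { ROOT, TRANSIT_DIR, TICKET_APP, EMONEY_APP, POINTS_APP };
static const uint8_t PIC_DIR[PIC_LEN]    = {1, 1, 1, 1};
static const uint8_t PIC_TICKET[PIC_LEN] = {2, 2, 2, 2};
static const uint8_t PIC_EMONEY[PIC_LEN] = {3, 3, 3, 3};
static const uint8_t PIC_POINTS[PIC_LEN] = {4, 4, 4, 4};

void demo_layout(void)
{
    node_count = 0;
    card_add(NO_PARENT, NULL, 0);          /* ROOT, no PIC */
    card_add(ROOT, PIC_DIR, 3);            /* TRANSIT_DIR */
    card_add(TRANSIT_DIR, PIC_TICKET, 3);  /* TICKET_APP */
    card_add(TRANSIT_DIR, PIC_EMONEY, 3);  /* EMONEY_APP */
    card_add(ROOT, PIC_POINTS, 3);         /* POINTS_APP */
}

int main(void)
{
    demo_layout();
    return card_verify_pic(TRANSIT_DIR, PIC_DIR) != PIC_OK;
}
```

Keeping the failure counter in non-volatile storage while the access flag is volatile is what stops a power cycle from granting a fresh set of guesses.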

[0039] According to a second aspect of the present invention, a mobile terminal apparatus is provided including:

[0040] a semiconductor integrated circuit device having a memory region;

[0041] one or more applications allocated to the memory region, wherein the right to access each application is controlled by a personal identification code;

[0042] a wireless interface for enabling the semiconductor integrated circuit device to perform wireless communication with an external apparatus;

[0043] a wired interface for performing wired communication with the semiconductor integrated circuit device;

[0044] user input means for inputting, from a user, the personal identification code and other data;

[0045] checking means for transferring the personal identification code input from the user input means via the wired interface to the semiconductor integrated circuit device and for checking the personal identification code with a personal identification code for each application allocated to the memory region; and

[0046] access-right control means for giving, as a result of checking by the checking means, a right to the user to access the application in which the personal identification codes match each other.

[0047] The term mobile terminal apparatus here indicates an information processing apparatus, such as a cellular phone or a PDA (Personal Digital Assistant), which is small and light enough to be carried by the user. Also, the term semiconductor integrated circuit device indicates an IC chip with an authentication function for implementing the access operation.

[0048] The IC chip placed on the mobile terminal apparatus according to the second aspect of the present invention includes a wireless interface for establishing a wireless link with an external apparatus such as a reader/writer and a wired interface for establishing an internal connection with a controller of the mobile terminal having the IC chip. In response to establishment of a wireless link with the reader/writer, the IC chip can be activated by electromagnetic waves sent from the reader/writer.

[0049] The IC chip placed on the mobile terminal apparatus according to the second aspect of the present invention includes the memory region. One or more applications are allocated to the memory region. The right to access each application is controlled by the personal identification code such as a personal identification number or password. The term application here includes value information, such as electronic money or an electronic ticket.

[0050] When a wireless link with the external apparatus such as the reader/writer is established, a personal identification code input using the reader/writer may be input to the IC chip via the wireless interface. A personal identification code input from a user input unit such as a keyboard of the mobile terminal apparatus may be input to the IC chip via the wired interface. The personal identification code input via the wireless interface or the wired interface is checked against the correct personal identification code, and the right to access the corresponding application is given if the personal identification codes match each other.

[0051] According to the second aspect of the present invention, a personal identification code for a desired application is input using the mobile terminal apparatus. The mobile terminal is held towards the external apparatus such as the reader/writer, and hence the application can be used using the external apparatus (such as conducting an electronic transaction). Accordingly, the user can input a personal identification code using the user's mobile terminal the user is familiar with, instead of using a user interface of the external apparatus the user is unfamiliar with, and the input personal identification code is thus checked. In other words, a personal identification code may be input using the information processing apparatus having the IC chip embedded therein to disengage the lock. Subsequently, a wireless link may be established with the external apparatus, thus permitting access to the memory region. Needless to say, after a wireless link between the IC chip in the information processing apparatus and the external apparatus is established, the access right may be controlled on the basis of a personal identification code input using the external apparatus.

[0052] The access-right control means may permit the external apparatus to access the application for which the access right is given via the wireless interface using wireless communication.

[0053] In response to detecting no electromagnetic waves from the external apparatus connected via the wireless interface, the access-right control means may determine that a series of transactions related to the application for which the access right is given has terminated and perform transaction termination processing. As a result, after being used, the IC chip is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

[0054] In response to receiving no response within a predetermined period of time in response to a command sent from the IC chip via the wireless interface, the access-right control means may determine that a series of transactions between the external apparatus and the IC chip, which are connected with each other via the wireless interface, has terminated normally or abnormally and may perform termination processing. As a result, after the wireless link with the external apparatus is broken, the IC chip is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

[0055] The mobile terminal apparatus according to the second aspect of the present invention may further include personal identification code registering means for registering in advance the personal identification code for each application; program activating means; and personal identification code input means for inputting the personal identification code for the corresponding application in accordance with the activated program to the IC chip via the wired interface. In such a case, the user selects a desired program from a menu screen displayed on the display, and the corresponding program is called to the mobile terminal. In response to the activated program, a personal identification code for the corresponding application is input to the IC chip via the wired interface, and the right to access the application is thus given. The user can omit the inputting of a personal identification code for a desired application, and operability is improved.

[0056] In response to being connected to the external apparatus via the wireless interface and thus receiving power, the IC chip may notify via the wired interface of the necessity to input the personal identification code for accessing the memory region on the IC chip. In response to the notification, the mobile terminal having the IC chip displays a dialog on a display or emits a beep to prompt the user. Accordingly, the user is reliably reminded of the necessity to input a personal identification code when the user holds the mobile terminal above the external apparatus such as the reader/writer to use the application. Application use in every aspect of the user's everyday life is thus facilitated.

[0057] According to a third aspect of the present invention, a communication method using a mobile terminal apparatus having a semiconductor integrated circuit device which has a memory region and which communicates with an external apparatus is provided,

[0058] the mobile terminal apparatus including a wireless interface for enabling the semiconductor integrated circuit device to perform wireless communication with the external apparatus and a wired interface for performing wired communication with the semiconductor integrated circuit device in the mobile terminal apparatus,

[0059] one or more applications being allocated to the memory region, wherein the right to access each application is controlled by a personal identification code, the communication method including:

[0060] a user input step of inputting, from a user, the personal identification code;

[0061] a sending step of sending the personal identification code input in the user input step via the wired interface to the semiconductor integrated circuit device;

[0062] a checking step of checking the personal identification code input in the user input step against a personal identification code for each application allocated to the memory region; and

[0063] an access-right control step of giving, as a result of checking in the checking step, a right to the user to access the application in which the personal identification codes match each other.

[0064] The semiconductor integrated circuit device placed on the mobile terminal apparatus according to the third aspect of the present invention is formed of, for example, an IC chip. The IC chip includes a wireless interface for establishing a wireless link with an external apparatus such as a reader/writer and a wired interface for establishing an internal connection with a controller of the mobile terminal apparatus having the IC chip. In response to establishment of a wireless link with the reader/writer, the IC chip is activated by electromagnetic waves sent from the reader/writer.

[0065] The semiconductor integrated circuit device placed on the mobile terminal apparatus according to the third aspect of the present invention has the memory region of relatively high capacity. One or more applications are allocated to the memory region. The right to access each application is controlled by the personal identification code such as a personal identification number or password. The term application here includes value information, such as electronic money or an electronic ticket.

[0066] When a wireless link with the external apparatus such as the reader/writer is established, a personal identification code input using the reader/writer may be input to the IC chip via the wireless interface. A personal identification code input from a user input unit such as a keyboard of the mobile terminal apparatus may be input to the IC chip via the wired interface. The personal identification code input via the wireless interface or the wired interface is checked against the correct personal identification code, and the right to access the corresponding application is given if the personal identification codes match each other.

[0067] According to the third aspect of the present invention, a personal identification code for a desired application is input using the mobile terminal apparatus. The mobile terminal is held towards the external apparatus such as the reader/writer, and hence the application can be used using the external apparatus (such as conducting an electronic transaction). Accordingly, the user can input a personal identification code using the user's mobile terminal the user is familiar with, instead of using a user interface of the external apparatus the user is unfamiliar with, and the input personal identification code is thus checked.

[0068] In the access-right control step, the external apparatus may be permitted to access the application for which the access right is given via the wireless interface using wireless communication.

[0069] In the access-right control step, in response to detecting no electromagnetic waves from the external apparatus connected via the wireless interface, it may be determined that a series of transactions related to the application for which the access right is given has terminated, and transaction termination processing may be performed. As a result, after being used, the semiconductor integrated circuit device is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

[0070] In the access-right control step, in response to receiving no response within a predetermined period of time in response to a command sent from the IC chip via the wireless interface, it may be determined that a series of transactions between the external apparatus and the IC chip, which are connected with each other via the wireless interface, has terminated normally or abnormally, and termination processing may be performed. As a result, after the wireless link with the external apparatus is broken, the IC chip is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

[0071] The communication method using the mobile terminal apparatus according to the third aspect of the present invention may further include a personal identification code registering step of registering in advance the personal identification code for each application; a program activating step; and a personal identification code input step of inputting the personal identification code for the corresponding application in accordance with the activated program to the semiconductor integrated circuit device via the wired interface. In such a case, the user selects a desired program from a menu screen displayed on the display, and the corresponding program is called to the mobile terminal. In response to the activated program, a personal identification code for the corresponding application is input to the semiconductor integrated circuit device via the wired interface, and the right to access the application is thus given. In such a case, the user can omit the inputting of a personal identification code for a desired application, and operability is improved.

[0072] The communication method using the mobile terminal apparatus mayfurther include a notification step of notifying, in response to thefact that the semiconductor integrated circuit device is connected tothe external apparatus via the wireless interface and thus receivespower, of the necessity to input the personal identification code foraccessing the memory region via the wired interface. In response to thenotification, the mobile terminal apparatus having the IC chip displaysa dialog on a display or emits a beep to prompt the user. Accordingly,the user is reliably reminded of the necessity to input a personalidentification code when the user holds the mobile terminal above theexternal apparatus such as the reader/writer to use the application.Application use in every aspect of the user's everyday life is thusfacilitated.

[0073] Further objects, features, and advantages of the presentinvention will become apparent from a more-detailed description of thepreferred embodiments of the present invention with reference to theattached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0074] FIG. 1 is a diagram schematically showing the hardware configuration of a mobile terminal 10 according to an embodiment of the present invention.

[0075] FIG. 2 is a conceptual diagram showing the mechanism of wireless communication between a reader/writer and an IC chip 50 based on electromagnetic induction.

[0076] FIG. 3 is a model diagram of a system formed of the reader/writer 101 and the IC chip 50, the system serving as a transformer.

[0077] FIG. 4 is a block diagram showing the internal functional configuration of the IC chip 50 embedded in the mobile terminal 10 according to a first embodiment of the present invention.

[0078] FIG. 5 is a diagram schematically showing an example of the configuration of a memory space in a memory 52 shown in FIG. 4.

[0079] FIG. 6 is a diagram schematically showing the data structure of a personal identification code defining region.

[0080] FIG. 7 is a flowchart showing a process of controlling the right to access a directory or application in accordance with a personal identification code input from a user.

[0081] FIG. 8 is a flowchart showing a process of controlling the right to access a directory or application using a private key instead of the personal identification code input from the user.

[0082] FIG. 9 is a flowchart showing a process of controlling the right to access an application or directory on the basis of the number of failures of input of the personal identification code.

[0083] FIG. 10 is a diagram schematically showing the mechanism for automatically causing an access-permitted memory region to be inaccessible by cutting off the power supply.

[0084] FIG. 11 is a diagram showing the internal functional configuration of an IC chip 50 embedded in a mobile terminal 10 according to a second embodiment of the present invention.

[0085] FIG. 12 is a flowchart showing a process of permitting access to an application allocated to a memory 52 by checking a personal identification code input from a user input unit 12 of the mobile terminal 10.

[0086] FIG. 13 is a flowchart showing a process of controlling the right to access an application on the basis of the result of detecting electromagnetic waves sent from an external apparatus 100.

[0087] FIG. 14 is a flowchart showing a process of controlling the right to access an application on the basis of a response from an external apparatus 100 in response to a command sent from the IC chip 50.

[0088] FIG. 15 is a flowchart showing a process of prompting the user to input a personal identification code to the mobile terminal in response to establishment of a wireless link between the IC chip 50 and the external apparatus 100 via an RF unit 51.

[0089] FIG. 16 is a diagram schematically showing the hardware configuration of a mobile terminal 10-2 according to a third embodiment of the present invention.

[0090] FIG. 17 is a flowchart showing a process of omitting input of a personal identification code by activating a program.

BEST MODE FOR CARRYING OUT THE INVENTION

[0091] With reference to the drawings, embodiments of the present invention will now be described in detail.

[0092] A. System Configuration

[0093] FIG. 1 schematically shows the hardware configuration of a mobile terminal 10 according to an embodiment of the present invention. The mobile terminal 10 is an information processing terminal, such as a cellular phone or a PDA (Personal Digital Assistant), which is small and light enough to be carried by a user.

[0094] The mobile terminal 10 shown in the diagram includes an IC chip 50 which is driven by receiving power using wireless communication with an external apparatus and which has a memory function, a controller 11 for controlling the overall internal operation of the mobile terminal 10, a user input unit 12 formed of keys/buttons for inputting by the user various character strings and commands, such as a personal identification number or password, and a display unit 13, such as an LCD (Liquid Crystal Display), for displaying the processing result. Needless to say, the mobile terminal 10 may include peripheral units and circuit components other than those shown in the diagram in order to implement the primary function of the mobile terminal 10.

[0095] A cartridge which has an IC chip with an antenna and which is formed in the size of a credit card is generally referred to as an “IC card”.

[0096] The mobile terminal 10 can be equipped with the IC chip 50 in a variety of different ways. For example, a semiconductor IC chip in conjunction with a wireless antenna may be embedded in the mobile terminal 10. Alternatively, a card-shaped IC chip, that is, an IC card, may be used by being inserted into a card slot arranged in the mobile terminal 10. Applications for the IC chip or IC card include functions related to value information, such as prepaid electronic money or an electronic ticket. In the following description, the functions provided by the IC chip or IC card may also be referred to as “applications”.

[0097] The controller 11 is formed by integrating a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The controller 11 executes program code stored on the ROM to control various operations in the mobile terminal 10.

[0098] The IC chip 50 includes a wireless interface 14 for establishing a wireless link with an external apparatus 100 and a wired interface 15 for establishing a wired connection with the controller 11 of the mobile terminal 10. The wireless interface 14 uses, for example, a contact interface standard defined by ISO 7816 or a wireless interface standard defined by ISO 14443. The scheme for establishing a link or connection between the IC chip 50 and the external apparatus 100 will be described later.

[0099] The IC chip 50 is manufactured by adopting, for example, a contactless IC chip technology. The IC chip 50 is driven by electromagnetic waves received from the external apparatus 100 via the wireless interface 14. In other words, when the user is not holding the mobile terminal 10 above the external apparatus 100, electromagnetic waves from the external apparatus 100 do not reach the mobile terminal 10, and the operation of the IC chip 50 is deactivated. In this embodiment, the right to access the interior of the IC chip 50 disappears in response to cutting off the electromagnetic waves (this will be described later).

[0100] The IC chip 50 according to this embodiment has a memory region. Such a memory region is made possible by miniaturization technology. The memory region is formed of a semiconductor memory, a magnetic stripe, or other readable/writable storage media. One or more applications are allocated to the memory region. One example of an application is value information, such as electronic money or an electronic ticket.

[0101] In this embodiment, a memory space in the IC chip 50 has a hierarchical structure. Each application is allocated a directory. This enables applications to be efficiently managed in directory units. This will be described in detail later.

[0102] In order to protect value information stored in the memory space in the IC chip 50 from being used without permission or stolen, a personal identification code such as a personal identification number or password is set for each application. As a result, the right to access the memory region is controlled in application units. For example, a personal identification code input via the wireless interface 14 or the wired interface 15 is checked against a personal identification code for each application, and the right to access each application is given when the compared personal identification codes match each other (described later).

[0103] In this embodiment, apart from the above features in that the memory space has a hierarchical structure, that each application is allocated a directory, and that a personal identification code is set for each application, a personal identification code may also be set for each directory. The right to access is controlled not only in application units but also in directory units efficiently. The access right control will be described in detail later.

[0104] The external apparatus 100 is an apparatus using an application allocated to the memory region on the IC chip 50. The external apparatus 100 includes a reader/writer 101 for establishing a wireless link with the IC chip 50 using, for example, a contactless IC chip technology. Needless to say, the external apparatus 100 is equipped with other circuit components and peripheral devices for performing arithmetic processing for specific operations, and a display unit and an input unit for performing interactive input with the user (all of which are not shown).

[0105] The external apparatus 100 corresponds to, for example, an apparatus such as an ATM (Automatic Teller Machine) terminal in a bank for using electronic money; an apparatus for processing electronic value information, such as that installed at the entrance of a concert hall or the gate of a station or airport for using electronic tickets; and an apparatus such as a safety box at an accommodation facility for performing user identification or authentication.

[0106] According to the system configuration such as that shown in FIG. 1, the user inputs a personal identification code from the user input unit 12 of the mobile terminal 10 and disengages the lock. In some cases, the user confirms the numerals which are input by the user and which are displayed on the display unit 13 and sends the input personal identification code to the IC chip 50 embedded in the mobile terminal 10 via the wired interface 15. In the IC chip 50, the personal identification code input from the user is checked against a personal identification code set for each application or directory on the memory region. If the personal identification codes match each other, the user is given the right to access the memory region allocated to the corresponding application or directory. Alternatively, after a wireless link is established between the IC chip 50 in the mobile terminal 10 and the external apparatus 100, the right to access each application is controlled on the basis of a personal identification code input using the external apparatus 100.

[0107] Wireless communication between the reader/writer 101 and the IC chip 50 is implemented on the basis of, for example, the principle of electromagnetic induction. FIG. 2 conceptually depicts the mechanism of wireless communication between the reader/writer 101 and the IC chip 50 based on electromagnetic induction. The reader/writer 101 includes an antenna L_(RW) formed of a loop coil. Allowing electric current I_(RW) to flow through the antenna L_(RW) generates a magnetic field around the antenna L_(RW). In contrast, at the IC chip 50 side, a loop coil L_(C) is provided around the IC chip 50 in an electrical sense. At the ends of the loop coil L_(C) of the IC chip 50, voltage is induced by the magnetic field generated by the loop antenna L_(RW) of the reader/writer 101, and the induced voltage is input to a terminal of the IC chip 50 connected to the ends of the loop coil L_(C).

[0108] The degree of coupling between the antenna L_(RW) of the reader/writer 101 and the loop coil L_(C) of the IC chip 50 changes depending on the positional relationship thereof. It can be regarded that, as a system, a single transformer is provided. This can be depicted in the model diagram shown in FIG. 3.

[0109] The reader/writer 101 modulates the current I_(RW) flowing through the antenna L_(RW) to modulate a voltage V₀ induced in the loop coil L_(C) of the IC chip. Using this phenomenon, the reader/writer 101 sends data to the IC chip 50. The data sent in this case includes a personal identification code, such as a personal identification number or password input from the user at the external apparatus 100 side, for obtaining the right to access each application or directory, and value information e.g., electronic money or an electronic ticket, provided by each application.

[0110] The IC chip 50 has a load switching function for changing a load between terminals of the loop coil L_(C) in accordance with data to be sent to the reader/writer 101. When the load between the terminals of the loop coil L_(C) changes, the impedance between the antenna terminals of the reader/writer 101 changes. This results in a fluctuation in passing current I_(RW) or voltage V_(RW) of the antenna L_(RW). Demodulation of the fluctuation enables the reader/writer 101 to receive the data sent from the IC chip 50. The data received by the external apparatus 100 from the IC chip 50 includes value information, such as electronic money or an electronic ticket, provided by each application.

[0111] B. First Embodiment

[0112] In a first embodiment of the present invention, a storage region in the IC chip 50 embedded in the mobile terminal 10 has a hierarchical structure using directories. Each application allocated to the memory region is registered in a directory at a desired hierarchical level. For example, highly-correlated applications, such as applications for use in a series of transactions, are registered in the same directory (and highly-correlated sub-directories are registered in the same directory). Accordingly, the application and directory arrangement in the memory region is well organized, and the user can efficiently classify and organize the applications.

[0113] Hierarchical control over the access right is implemented by setting a personal identification code for each application, and, in addition to this, by setting a personal identification code for each directory. For example, the user inputs a personal identification code corresponding to a directory. The input personal identification code is checked and authenticated, and the user is thus given the right to access all applications (and sub-directories) in the directory. For example, the user obtains the right to access all applications used in a series of transactions by inputting a personal identification code for the corresponding directory once. Access control is thus efficiently performed, and the operability of the apparatus is thus improved.

[0114] FIG. 4 illustrates the internal functional configuration of the IC chip 50 embedded in the mobile terminal 10 according to this embodiment.

[0115] As shown in the diagram, the IC chip 50 includes an RF unit 51 having connected thereto an antenna for establishing a wireless link with the reader/writer 101 of the external apparatus 100, a memory 52 having a storage region individually allocated to each application, such as purchased-ticket information or depositor information (electronic money) at a bank, a checker 53 for comparing and checking a personal identification code, a wired interface 54, and a controller 55 for controlling the components in a general manner.

[0116] The controller 55 is formed by integrating a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The controller 55 executes program code stored on the ROM to control the internal operation of the IC chip 50. Also, the controller 55 communicates with the controller 11 of the mobile terminal 10 via the wired interface 54.

[0117] The memory 52 is used to allocate a storage region to one or more applications. The memory 52 can be implemented as any type of readable/writable storage medium, such as a semiconductor memory or a magnetic stripe, and is not limited to a particular device.

[0118] In this embodiment, a storage space of the memory 52 has a hierarchical structure using directories. Specifically, each application allocated to the memory region can be registered in a directory at a desired hierarchical level. For example, highly-correlated applications, such as applications for use in a series of transactions, are registered in the same directory (and highly-correlated sub-directories are registered in the same directory).

[0119] Applications and directories allocated in the memory 52 each have a personal identification code defining region. A personal identification code can be set for each application or directory. The right to access the memory 52 is controlled in application units and in directory units. The hierarchical structure, the hierarchical control over the access right, and the personal identification code defining region in the memory 52 will be described in detail later.

[0120] The checker 53 checks a personal identification code sent via the wired interface 54 against a personal identification code set in the memory region allocated to each application or directory and permits access to the memory region if the personal identification codes match each other. Information can be read from and written to the access-permitted memory region by the reader/writer 101 via the RF unit 51.

[0121] The personal identification code sent via the wired interface 54 is, in short, the personal identification code input from the user using the mobile terminal 10. In other words, according to this embodiment, the user can input a personal identification code using the user's own mobile terminal 10, with which the user is familiar, instead of using a user interface of the external apparatus 100, with which the user is unfamiliar, and the input personal identification code is thus checked.

[0122] FIG. 5 schematically shows an example of the configuration of the memory space in the memory 52 shown in FIG. 4. In the example shown in the diagram, directory 1 corresponding to a root directory includes application 1A and application 1B, and directory 2 that corresponds to a sub-directory.

[0123] Under directory 2, application 2A, and directory 3-1 and directory 3-2 corresponding to sub-directories are included.

[0124] Under directory 3-1, application 3-1A and application 3-1B are included. Under directory 3-2, application 3-2A, application 3-2B, and application 3-2C are included.

[0125] As shown in FIG. 5, each application and directory allocated on the memory 52 is provided with a personal identification code defining region. FIG. 6 schematically shows the data structure of the personal identification code defining region. As shown in the diagram, the personal identification code defining region has a personal identification number region, a region for storing the number of input failures, a region for setting the maximum permissible number of input failures, a region for selecting whether to use a personal identification code, and an access permission flag.

[0126] When the user wants to access an application or directory, the user is prompted by the IC chip 50 to input a personal identification code. For example, a beep is emitted by the mobile terminal 10 or a dialog is displayed on the display unit 13 to prompt the user to input a personal identification code.

[0127] Only when the personal identification code input from the user matches the correct personal identification code is the access permission flag set in the personal identification code defining region in the corresponding application or directory, and access thereto is thus permitted.

[0128] The access permission flag indicates whether or not the corresponding application or directory is accessible. The application or directory having set therein the access permission flag is accessible. In a default setting, each application or directory for which a personal identification code is set is inaccessible. After personal identification code checking or authentication using a private key has succeeded, the access permission flag is set to allow the application or directory to become accessible. If the access permission flag is continuously set, the user may suffer from damage in case of loss or theft of the IC chip 50 or the mobile terminal 10 since the applications and directories may be used without permission or used fraudulently. The IC chip 50 according to this embodiment has a mechanism for automatically changing the accessible state to the inaccessible state, which will be described in detail later.

[0129] The record in the region for storing the number of input failures is updated every time an incorrect personal identification code is input. When the number of input failures reaches the maximum permissible number of input failures set in the region for setting the maximum permissible number of input failures, access to the corresponding application or directory is denied.

[0130] In general, the number of input failures should be cleared once the user succeeds in inputting the correct personal identification code. This scheme prevents a malicious user from checking every possible personal identification code to detect the correct personal identification code. When the user inputs incorrect personal identification codes and the number of input failures reaches the maximum permissible number of input failures, input of the personal identification code fails. In this case, only a manager managing the IC chip 50 may clear the region for storing the number of input failures. The manager may be authenticated by, for example, a private key, which will be described later.

[0131] When a personal identification code for a directory is input and access to the directory is thus permitted, access to all applications and directories below the directory may be permitted. For example, as in directory 2 shown in FIG. 5, a personal identification code for the directory itself and a personal identification code for a sub-directory(s) are individually arranged, thereby setting the personal identification code for controlling the right to access only applications belonging to directory 2 and the personal identification code for controlling the right to access only sub-directories 3-1 and 3-2 below directory 2.

[0132] The region for setting whether to use a personal identification code, which is in each personal identification code defining region, is used to select whether to set a personal identification code for the target region. Specifically, when a personal identification code is set, access to the corresponding application or directory is permitted if authentication by the personal identification code is successful. In contrast, an application or directory for which no personal identification code is set does not require personal identification code checking, and access to that application or directory is thus unrestricted.

[0133] In addition to a personal identification code, a private key may be set for each application or directory. In addition to authentication using input of a personal identification code, the private key may also be used as authentication means.

[0134] FIG. 7 is a flowchart showing a process of controlling the right to access a directory or application in accordance with a personal identification code input from the user.

[0135] When the user inputs a personal identification code (step S1), the checker 53 accesses the personal identification code defining region of an application or directory in the memory space to determine whether or not the input personal identification code matches a personal identification code set for the application or directory (step S2).

[0136] When the personal identification code set for the application or directory matches the personal identification code input from the user, the access permission flag in the personal identification code defining region in the application or directory is set to make the application or directory accessible (step S3).

[0137] For example, the personal identification code input from the user using the user input unit 12 of the mobile terminal 10 may be sent via the wired interface 54 to the IC chip 50. Alternatively, the IC chip 50 is held above the reader/writer 101 of the external apparatus 100, and a personal identification code input using the user interface of the external apparatus 100 is sent via a wireless interface, which is the RF unit 51, to the IC chip.

[0138] FIG. 8 is a flowchart showing a process of controlling the right to access a directory or application using a private key in place of a personal identification code input from the user.

[0139] Using a private key set for a desired directory or application, authentication processing is performed with a predetermined certifying authority (step S11).

[0140] When authentication succeeds (step S12), the access permission flag in the personal identification code defining region of the directory or application is set to enable the directory or application to be accessible (step S13).

[0141] Needless to say, the right to access an application or directory may be controlled by a combination of checking a personal identification code input from the user, such as that shown in FIG. 7, and authentication processing using a private key, such as that shown in FIG. 8. In such a case, an application or directory is protected from being used without permission or being used fraudulently at a higher security level.

[0142] When the right to access an application or directory is controlled using a personal identification code such as that shown in FIG. 7, a malicious user may check every possible personal identification code to destroy the security (especially when a personal identification code having a small number of digits is used). In this embodiment, the maximum permissible number of inputs is set in the personal identification code defining region. An application or directory in which the number of input failures reaches the maximum permissible number of inputs is set to be inaccessible, thus performing access control.

[0143] FIG. 9 is a flowchart showing a process of controlling the right to access an application or directory using the number of failures of input of the personal identification code.

[0144] When the user inputs a personal identification code (step S21), the checker 53 accesses the personal identification code defining region of an application or directory in the memory space and determines whether or not the input personal identification code matches a personal identification code for the application or directory (step S22).

[0145] When the personal identification code for the application or directory matches the personal identification code input from the user, the access permission flag in the personal identification code defining region is set to enable the corresponding application or directory to be accessible (step S23).

[0146] In contrast, when the personal identification code for the application or directory does not match the personal identification code input from the user, the number of input failures in the personal identification code defining region is updated (step S24).

[0147] In step S25, it is determined whether or not the updated number of input failures has reached the maximum permissible number of inputs set in the personal identification code defining region (step S25).

[0148] If the number of input failures has reached the maximum permissible number of inputs, the setting of the access permission flag in the personal identification code defining region is cleared to make the corresponding application or directory inaccessible (step S26).

[0149] As a result, the act of checking every possible personal identification code by a malicious user is prevented.

[0150] When the user inputs incorrect personal identification codes and the number of input failures reaches the maximum permissible number of input failures, input of the personal identification code fails. In this case, only a manager managing the IC chip 50 may clear the region for storing the number of input failures. The manager may be authenticated using, for example, a private key.
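
The check of FIG. 9, the FIG. 6 fields it reads, and the manager-only reset of [0150] can be sketched in C as follows. This is an added example, not code from the patent: the field widths, the function names, the sample code "4912", the no-early-exit comparison and the `manager_authenticated` flag standing in for private-key authentication are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_MAX_LEN 8 /* assumed field width; the page gives no size */

/* Personal identification code defining region, one per application or
 * directory (fields as listed for FIG. 6; names and widths are assumed). */
typedef struct {
    uint8_t pin[PIN_MAX_LEN]; /* personal identification number region */
    uint8_t pin_len;
    uint8_t failures;         /* number of input failures */
    uint8_t max_failures;     /* maximum permissible number of input failures */
    bool pin_in_use;          /* whether a personal identification code is used */
    bool access_permitted;    /* access permission flag */
} pin_region_t;

typedef enum { PIN_OK, PIN_MISMATCH, PIN_LOCKED } pin_result_t;

void pin_region_init(pin_region_t *r, const char *pin, uint8_t max_failures)
{
    memset(r, 0, sizeof *r);
    r->max_failures = max_failures;
    if (pin != NULL) {
        size_t n = strlen(pin);
        r->pin_len = (uint8_t)(n > PIN_MAX_LEN ? PIN_MAX_LEN : n);
        memcpy(r->pin, pin, r->pin_len);
        r->pin_in_use = true;
    }
    /* [0132]: no code set means unrestricted; [0128]: otherwise start cleared. */
    r->access_permitted = !r->pin_in_use;
}

/* Compares every position with no early exit, so the time taken does not show
 * where the first wrong digit is (added hardening, not from the page). */
static bool pin_equal(const pin_region_t *r, const char *in)
{
    size_t len = strlen(in);
    uint8_t diff = (uint8_t)(len != r->pin_len);
    for (size_t i = 0; i < PIN_MAX_LEN; i++) {
        uint8_t a = i < r->pin_len ? r->pin[i] : 0;
        uint8_t b = i < len ? (uint8_t)in[i] : 0;
        diff |= (uint8_t)(a ^ b);
    }
    return diff == 0;
}

/* Steps S21 to S26 of FIG. 9. */
pin_result_t pin_verify(pin_region_t *r, const char *in)
{
    if (!r->pin_in_use)
        return PIN_OK;
    if (r->failures >= r->max_failures)   /* already locked: do not compare */
        return PIN_LOCKED;
    if (pin_equal(r, in)) {               /* S22 -> S23 */
        r->failures = 0;                  /* [0130]: clear the count on success */
        r->access_permitted = true;
        return PIN_OK;
    }
    r->failures++;                        /* S24 */
    if (r->failures >= r->max_failures) { /* S25 -> S26 */
        r->access_permitted = false;
        return PIN_LOCKED;
    }
    return PIN_MISMATCH;
}

/* [0150]: only the manager may clear the failure count. */
bool pin_manager_reset(pin_region_t *r, bool manager_authenticated)
{
    if (!manager_authenticated)
        return false;
    r->failures = 0;
    return true;
}

/* Constructed scenario: a region limited to three failures receives
 * wrong_guesses bad codes, an optional manager reset, then the correct code.
 * Returns the result of that final, correct attempt. */
pin_result_t demo_correct_code_after(int wrong_guesses, bool manager_authenticated)
{
    pin_region_t app;
    pin_region_init(&app, "4912", 3);
    for (int i = 0; i < wrong_guesses; i++)
        pin_verify(&app, "0000");
    pin_manager_reset(&app, manager_authenticated);
    return pin_verify(&app, "4912");
}

int main(void)
{
    printf("2 wrong, then correct: %d\n", demo_correct_code_after(2, false));
    printf("3 wrong, then correct: %d\n", demo_correct_code_after(3, false));
    printf("3 wrong, reset, correct: %d\n", demo_correct_code_after(3, true));
    return 0;
}
```

Once the limit is reached the correct code is refused as well, which is what stops exhaustive guessing; the count has to live in non-volatile storage for that to hold across power cycles.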

[0151] For example, if a known ATM card is lost, funds in the account are protected when the card owner reports the loss to a bank handling the account to suspend any transaction using the bank account since the funds themselves are not stored in the card. In contrast, in a case of an IC chip having a memory region, highly-negotiable value information, such as electronic money or an electronic ticket, is stored in a semiconductor memory in the IC chip. When the lost IC chip is found by a malicious person, it is very likely that the IC chip is fraudulently used to cause economical damage.

[0152] In this embodiment, in response to turning off the power of the IC chip 50 (or the mobile terminal 10 having the IC chip 50 embedded therein), the access permission flags in all personal identification code defining regions are cleared to automatically deny access to all applications and directories. If the IC chip 50 is lost, this scheme prevents the IC chip 50 from being maintained as accessible and from being used fraudulently by a malicious user.

[0153] FIG. 10 schematically shows the mechanism for automatically setting the accessible memory region to be inaccessible by cutting off power. The mechanism shown in the diagram is implementable using a storage medium such as a semiconductor memory in which the contents of the memory region are maintained by receiving power supply (volatile type).

[0154] Access permission flags 201-1 to 201-n are provided, as shown in FIG. 6, in the personal identification code defining regions for applications and directories to which the memory region is allocated. In each of the access permission flags 201-1 to 201-n, contact A and contact B are arranged. The ends of contact A can be connected to the ends of contact B via switches SW1 and SW2 arranged in parallel. Opening both contact A and contact B sets the corresponding application or directory to be accessible, whereas shorting contact A and contact B sets the corresponding application or directory to be inaccessible.

[0155] Access-permission-flag controllers 202-1 to 202-n are provided in the IC chip 50, and the number of access-permission-flag controllers 202-1 to 202-n is equal to the number of access permission flags (that is, equal to the total number of applications and directories allocated to the memory region).

[0156] When the IC chip 50 is turned on, switch SW1 shown in the diagram is open.

[0157] In normal operation, in order to permit access to the corresponding application or directory in response to input of a personal identification code, the access-permission-flag controller 202 opens switch SW2 in the corresponding access permission flag 201. As a result, both contact A and contact B are open, and the access permission flag 201 is set to the accessible state.

[0158] In order to deny access, switch SW2 is shorted. Regardless of the state of the other switch, that is, SW1, contact A and contact B are shorted, thus setting the access permission flag to the inaccessible state.

[0159] If the IC chip 50 (or the mobile terminal 10 having the IC chip 50 embedded therein) is turned off in the accessible state in which switch SW is open, the power supply voltage is reduced from the initial voltage V_(CC) to 0 [V], and a threshold voltage V_(th) therebetween is detected by a voltage detector 203. In response to detection of the threshold voltage V_(th), the power supply voltage detector 203 shorts all switches SW1 in the access permission flags 201-1 to 201-n. Regardless of the state of the other switches SW2, contacts A and contacts B in the access permission flags 201-1 to 201-n are shorted. Accordingly, all access permission flags are changed to the inaccessible state at the same time.
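
A small C model of the FIG. 10 mechanism, added here as an illustration and not taken from the patent: each flag is accessible only while both parallel switches are open, and the voltage detector closes every SW1 when the supply falls through V_th. The voltages, the flag count, the function names and the power-on state of SW2 (closed, matching the default-inaccessible setting of [0128]) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define N_FLAGS 4    /* constructed: applications plus directories on the chip */
#define VCC_MV 3300  /* assumed supply voltage V_CC, in millivolts */
#define VTH_MV 2000  /* assumed detector threshold V_th, in millivolts */

/* One access permission flag 201: contacts A and B joined by two switches
 * arranged in parallel. */
typedef struct {
    bool sw1_closed; /* driven by the power supply voltage detector 203 */
    bool sw2_closed; /* driven by the access-permission-flag controller 202 */
} access_flag_t;

typedef struct {
    access_flag_t flag[N_FLAGS];
    int supply_mv;   /* last supply voltage seen by the detector */
} chip_t;

/* Either closed switch shorts contact A to contact B: inaccessible. */
bool flag_accessible(const access_flag_t *f)
{
    return !(f->sw1_closed || f->sw2_closed);
}

void chip_power_on(chip_t *c)
{
    c->supply_mv = VCC_MV;
    for (size_t i = 0; i < N_FLAGS; i++) {
        c->flag[i].sw1_closed = false; /* [0156]: SW1 is open at power-on */
        c->flag[i].sw2_closed = true;  /* assumed reset state: access denied */
    }
}

/* Controller 202: open SW2 to permit ([0157]), short it to deny ([0158]). */
void controller_set(chip_t *c, size_t i, bool permit)
{
    if (i < N_FLAGS)
        c->flag[i].sw2_closed = !permit;
}

/* Detector 203: fed each supply sample; on the falling crossing of V_th it
 * shorts every SW1, whatever state the SW2 switches are in ([0159]). */
void detector_sample(chip_t *c, int mv)
{
    bool fell_through = c->supply_mv >= VTH_MV && mv < VTH_MV;
    c->supply_mv = mv;
    if (fell_through)
        for (size_t i = 0; i < N_FLAGS; i++)
            c->flag[i].sw1_closed = true;
}

size_t chip_accessible_count(const chip_t *c)
{
    size_t n = 0;
    for (size_t i = 0; i < N_FLAGS; i++)
        n += flag_accessible(&c->flag[i]) ? 1 : 0;
    return n;
}

/* Constructed scenario. stage 0: two regions unlocked after code entry;
 * stage 1: the supply has decayed to 0 V; stage 2: the chip is powered again. */
size_t demo_accessible_at(int stage)
{
    chip_t chip;
    chip_power_on(&chip);
    controller_set(&chip, 0, true);
    controller_set(&chip, 2, true);
    if (stage == 0)
        return chip_accessible_count(&chip);
    for (int mv = VCC_MV; mv >= 0; mv -= 300)
        detector_sample(&chip, mv);
    if (stage == 1)
        return chip_accessible_count(&chip);
    chip_power_on(&chip);
    return chip_accessible_count(&chip);
}

int main(void)
{
    for (int stage = 0; stage < 3; stage++)
        printf("stage %d: %zu accessible\n", stage, demo_accessible_at(stage));
    return 0;
}
```

Stage 2 depends on the assumed reset state: if SW2 kept its open position across the power cycle, reopening SW1 at power-on would restore access, which is why the page ties the mechanism to volatile storage.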

[0160] C. Second Embodiment

[0161] FIG. 11 illustrates the internal functional configuration of an IC chip 50 embedded in a mobile terminal 10 according to a second embodiment of the present invention.

[0162] As shown in the diagram, the IC chip 50 includes an RF unit 51 having connected thereto an antenna for establishing a wireless link with a reader/writer 101 of an external apparatus 100, a memory 52 having a storage region individually allocated to each application, such as purchased-ticket information or depositor information (electronic money) at a bank, a checker 53 for comparing and checking a personal identification code, a wired interface 54, and a controller 55 for controlling the components in a general manner.

[0163] The controller 55 is formed by integrating a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The controller 55 executes program code stored on the ROM to control the internal operation of the IC chip 50. Also, the controller 55 communicates with a controller 11 of the mobile terminal 10 via the wired interface 54.

[0164] In the memory 52, each application is allocated a region. In the example shown in the diagram, application A, application B, and application C are allocated individual regions on the memory 52. If necessary, a personal identification code for identification or authentication is set for each application. The region allocated to each application includes a personal identification code region for storing a personal identification code.

[0165] The memory 52 can be implemented as any type of readable/writable storage medium, such as a semiconductor memory or a magnetic stripe, and is not limited to a particular device.

[0166] In this embodiment, the checker 53 checks a personal identification code sent via the wired interface 54 against a personal identification code set in the memory region allocated to each application. If the personal identification codes match each other, access to the corresponding memory region is permitted. Information can be read from or written to the access-permitted memory region by the reader/writer 101 via the RF unit 51.

[0167] The personal identification code sent via the wired interface 54 is, in short, the personal identification code input from the user using the mobile terminal 10. In other words, according to this embodiment, the user can input a personal identification code using the user's mobile terminal 10 the user is familiar with, instead of using a user interface of the external apparatus 100 the user is unfamiliar with, and the input personal identification code is thus checked.

[0168] FIG. 12 is a flowchart showing a process of permitting access to an application allocated to the memory 52 by checking a personal identification code input from a user input unit 11 of the mobile terminal 10. With reference to the flowchart of FIG. 12, the process of permitting access to the application will now be described.

[0169] The user uses the user input unit 11 of the mobile terminal 10 to input a personal identification code (step S101).

[0170] The personal identification code input in this manner is transferred to the checker 53 in the IC chip 50 via the wired interface 52 (step S102).

[0171] The checker 53 checks the personal identification code input via the user input unit 12 against a personal identification code set for each application allocated to the memory 52 (step S103).

[0172] As a result of checking, the user is given a right to access the application in which the personal identification codes match each other (step S104). A storage region allocated to the access-permitted application becomes accessible by the reader/writer 101 using wireless communication.

[0173] Needless to say, the checker 53 not only checks a personal identification code received via the wired interface 54 (that is, input from the user using the mobile terminal 10), but also checks a personal identification code received via the RF unit 51 (that is, input from the user using the external apparatus 100).

[0174] When a series of transactions with the reader/writer 101 is completed after access has been permitted, the controller 55 analyzes the completion and sends the analysis result via the wired interface 54.

[0175] Alternatively, after normal or abnormal termination of the transactions, the controller 55 waits for a command from the wired interface 54 or waits for the mobile terminal 10 itself to be turned off (that is, waits for electromagnetic waves from the reader/writer 50 to be stopped to cause the IC chip 50 to be deactivated). In this case, after a predetermined period of time elapses, the controller 11 of the mobile terminal 10 having the IC chip 50 embedded therein performs termination processing such as sending the next command to the IC chip 50 or turning off the IC chip 50.

[0176] FIG. 13 is a flowchart showing a process of controlling the right to access an application on the basis of a result of detecting electromagnetic waves sent from the external apparatus 50. In accordance with the flowchart, control over the right to access the application will now be described.

[0177] In a period during which the IC chip 50 is wirelessly connected with the external apparatus 100 via the RF unit 51, the controller 55 determines at all times whether or not electromagnetic waves are received via the RF unit 51 (step S111).

[0178] In response to detecting no electromagnetic waves, it is determined that a series of transactions between the external apparatus 100 and the IC chip 50, which are wirelessly connected with each other via the RF unit 51, is terminated (step S112).

[0179] The controller 55 performs termination processing to terminate the transactions with the external apparatus 100 (step S113). As a result, the right given to the external apparatus 100 to access the application disappears.

[0180] As a result, after being used, the IC chip 50 is not maintained in a state in which each application is accessible. For example, when the mobile terminal 10 is lost or stolen, unauthorized use of each application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

[0181] FIG. 14 is a flowchart showing a process of controlling the right to access an application on the basis of a response from the external apparatus 100 in response to a command sent from the IC chip 50. In accordance with the flowchart, control over the right to access the application will now be described.

[0182] When the controller 55 sends a command to the external apparatus 100 via the RF unit 51 (step S121), the controller 55 determines whether or not a response in response to the command has been given (step S122).

[0183] When no response is received within a predetermined period of time after sending the command (step S123), it is determined that a series of transactions between the IC chip 50 and the external apparatus 100 has been terminated normally or abnormally (step S124), and termination processing to terminate the transactions with the external apparatus 100 is performed (step S125).

[0184] As a result, after the wireless link with the external apparatus 100 is broken, the IC chip 50 is not maintained in a state in which the right to access each application is given. For example, when the mobile terminal is lost or stolen, unauthorized use of each application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.
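The two termination paths of FIG. 13 (loss of the electromagnetic field) and FIG. 14 (no response to a command within the predetermined period) can be sketched as one session state machine. This is an added example, not code from the patent; the 50 ms timeout, the millisecond clock and all identifiers are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_APPS 3                  /* constructed: applications A, B, C */
#define RESPONSE_TIMEOUT_MS 50u   /* constructed "predetermined period" */

enum end_reason { END_NONE, END_FIELD_LOST, END_CMD_TIMEOUT };

struct session {
    bool access[N_APPS];          /* rights given after the PIN check (S104) */
    bool cmd_pending;             /* a command awaits its response (S121) */
    uint32_t cmd_sent_ms;         /* when that command was sent */
    enum end_reason ended;        /* why termination processing ran */
};

void session_begin(struct session *s)
{
    memset(s, 0, sizeof *s);
    s->ended = END_NONE;
}

/* Record a right granted by the checker. Refused once the session has
 * ended, so a stale grant cannot outlive termination processing. */
bool session_grant(struct session *s, int app)
{
    if (app < 0 || app >= N_APPS || s->ended != END_NONE) return false;
    s->access[app] = true;
    return true;
}

void session_command_sent(struct session *s, uint32_t now_ms)
{
    s->cmd_pending = true;
    s->cmd_sent_ms = now_ms;
}

void session_response_received(struct session *s)
{
    s->cmd_pending = false;
}

/* Termination processing (S113 / S125): every access right disappears. */
static void session_terminate(struct session *s, enum end_reason why)
{
    memset(s->access, 0, sizeof s->access);
    s->cmd_pending = false;
    s->ended = why;
}

/* Called continuously by the controller. field_present is the RF unit's
 * carrier detection (S111); the timeout test is S122/S123. The unsigned
 * subtraction stays correct if the millisecond counter wraps. */
enum end_reason session_poll(struct session *s, bool field_present,
                             uint32_t now_ms)
{
    if (s->ended != END_NONE) return s->ended;
    if (!field_present)
        session_terminate(s, END_FIELD_LOST);
    else if (s->cmd_pending &&
             (uint32_t)(now_ms - s->cmd_sent_ms) >= RESPONSE_TIMEOUT_MS)
        session_terminate(s, END_CMD_TIMEOUT);
    return s->ended;
}

bool session_may_access(const struct session *s, int app)
{
    if (app < 0 || app >= N_APPS) return false;
    return s->ended == END_NONE && s->access[app];
}

int main(void)
{
    struct session s;
    session_begin(&s);
    session_grant(&s, 1);
    session_command_sent(&s, 20);
    printf("t=60 reason=%d access=%d\n",
           session_poll(&s, true, 60), session_may_access(&s, 1));
    printf("t=70 reason=%d access=%d\n",
           session_poll(&s, true, 70), session_may_access(&s, 1));
    return 0;
}
```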

[0185] Prior to receiving a personal identification code via the wired interface 54, the IC chip 50 performs wireless communication with the reader/writer 55 via the RF unit 41 and sends/receives data to/from the external apparatus 100. Subsequently, when data is to be sent and received further, the controller 55 detects that authentication using a personal identification code is necessary and sends the detection result to the controller 11 of the mobile terminal 10 via the wired interface 54.

[0186] FIG. 15 is a flowchart showing a process of prompting the user to input a personal identification code to the mobile terminal in response to establishment of a wireless link between the IC chip 50 and the external apparatus 100 via the RF unit 51.

[0187] The controller 55 determines at all times whether or not the IC chip 50 is wirelessly connected with the external apparatus 100 via the RF unit 51 (step S131).

[0188] When the IC chip 50 is connected with the external apparatus 100 via the RF unit 51 and power is supplied to the IC chip 50, the controller 55 notifies, via the wired interface 54, the controller 11 of the mobile terminal 10 of the necessity to input a personal identification code for accessing the memory 52 (step S132).

[0189] In response to the notification, the mobile terminal 10 emits a beep or displays a dialog on the display unit 12 to prompt the user to input a personal identification code for using a desired application (step S133).

[0190] Accordingly, the user is reliably reminded of the necessity to input a personal identification code when the user holds the mobile terminal above the external apparatus to use an application. Application use in every aspect of the user's everyday life is thus facilitated.

[0191] D. Third Embodiment

[0192] FIG. 16 schematically shows the hardware configuration of a mobile terminal 10-2 according to a third embodiment of the present invention.

[0193] The mobile terminal 10-2 shown in the diagram includes an IC chip 50 which is driven by receiving power using wireless communication with an external apparatus and which has a memory function, a controller 11 for controlling the overall internal operation of the mobile terminal 10, a user input unit 12 formed of keys/buttons for inputting by the user various character strings and commands, such as a personal identification number or password, and a display unit 13, such as an LCD (Liquid Crystal Display), for displaying the processing result. Needless to say, the mobile terminal 10-2 may include peripheral units and circuit components other than those shown in the diagram in order to implement the primary function of the mobile terminal 10-2.

[0194] The IC chip 50 includes a wireless interface 14 for establishing a wireless link with an external apparatus 100 and a wired interface 15 for establishing a wired connection with the controller 11 of the mobile terminal 10. The wireless interface 14 uses, for example, a contact interface standard defined by ISO 7816 or a wireless interface standard defined by ISO 14443 (the same as above).

[0195] The IC chip 50 is manufactured by adopting, for example, a contactless IC card technology. The IC chip 50 is driven by electromagnetic waves received from the external apparatus 100 via the wireless interface. In other words, when the user is not holding the mobile terminal 10 above the external apparatus 100, electromagnetic waves from the external apparatus 100 do not reach the mobile terminal 10, and the operation of the IC chip 50 is deactivated. The right to access the interior of the IC chip 50 thus disappears.

[0196] The IC chip 50 has a relatively-high-capacity memory region. Such a memory region is made possible by miniaturization technology. The memory region is formed of a semiconductor memory, a magnetic stripe, or other readable/writable storage media. One or more applications are allocated on the memory region. An example of an application includes value information, such as electronic money or an electronic ticket.

[0197] In order to protect this type of value information from being used without permission or stolen, the right to access each application is controlled using a personal identification code such as a personal identification number or password in application units. For example, a personal identification code input via the wireless interface 14 or the wired interface 15 is checked against a personal identification code for each application, and the right to access each application is given when the personal identification codes match each other.

[0198] The mobile terminal 10-2 is formed by providing a personal identification code storage region in the controller 11 in the mobile terminal shown in FIG. 1. A personal identification code corresponding to a program in the controller 11 is stored in advance in the personal identification code storage region. This enables the personal identification code corresponding to the called program to be sent to the IC chip 50 via the wired interface. The user is thus not required to sequentially input personal identification codes in order to use the same application stored in the IC chip 50, and the operability of the apparatus is improved.

[0199] FIG. 17 is a flowchart of a process of omitting the inputting of a personal identification code by activating a program.

[0200] A personal identification code for each application is registered in advance (step S141). The registered personal identification code is stored in a predetermined personal identification number storage region in the controller 55.

[0201] When the user wants to use an application, the user selects a desired program from, for example, a menu list (not shown) displayed on the display unit 13 (step S142).

[0202] As a result, the controller 11 activates the selected program (step S143).

[0203] The controller 11 reads a personal identification code for the corresponding application in accordance with the activated program from the personal identification code storage region and sends the personal identification code to the IC chip 50 via the wired interface 15 (step S144).

[0204] As a result, in the IC chip, the personal identification code received via the wired interface 15 is checked against the personal identification code set for each application allocated to the memory region (step S145).

[0205] As a result of checking, the user is given the right to access the application in which the personal identification codes match each other (step S146). The storage region allocated to the application to which the access right is given is accessible by the reader/writer 101 using wireless communication.

[0206] In such a case, the user selects a desired program from a menu screen displayed on the display, and the corresponding program is called to the mobile terminal. In response to the activated program, a personal identification code for the corresponding application is input to the IC chip via the wired interface, and the right to access the application is thus given. The user can omit the inputting of a personal identification code for a desired application, and the operability of the apparatus is improved.

[0207] Appendix

[0208] With reference to the specific embodiments, the present invention has been described in detail. However, it is to be understood that various modifications and substitutions can be made by those skilled in the art without departing from the scope of the present invention.

[0209] In this specification, cases have been described in which the IC chip according to the present invention is used by being embedded in the mobile terminal such as a cellular phone or PDA. However, the scope of the present invention is not limited to these cases. The merits of the present invention are similarly achieved by, for example, using the IC chip in a stand-alone manner or by embedding the IC chip in another type of device and using the IC chip.

[0210] In short, the present invention has been disclosed by examples for illustration purposes, and the description should not be interpreted in a limited manner. The scope of the present invention is to be determined solely by the appended claims.

INDUSTRIAL APPLICABILITY

[0211] According to the present invention, there are provided an improved information storage medium which can be used by being placed in an information processing apparatus, such as a cellular phone or PDA (Personal Digital Assistant), an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0212] According to the present invention, there are provided an improved information storage medium which has a memory region and which efficiently controls the right to access each application allocated to the memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

[0213] According to the present invention, the memory region on the IC chip has a hierarchical structure. Each application allocated to the memory region is registered in a directory. The memory region is efficiently managed in directory units.

[0214] According to the present invention, a personal identification code is set for each application and directory. As the case may be, the access right is controlled in application units or in directory units. For example, for all applications included in a directory, an identification or authentication scheme having the same usability as the existing IC chip may be provided.

[0215] According to the present invention, when the IC chip or the mobile terminal having the IC chip embedded therein is lost, the right to access each application in the IC chip automatically disappears. Accordingly, the IC chip or the mobile terminal is protected against fraudulent use by others.

[0216] Identification or authentication using the IC chip according to the present invention may be performed in conjunction with authentication using a private key. As a result, value information such as electronic money can be handled with higher security.

[0217] According to the present invention, for example, when the IC chip embedded in the mobile terminal is used as a bank card, identification or authentication processing is performed on the user by inputting, by the user, a personal identification number using the mobile terminal the user is familiar with. This results in minimization of the amount of operation that the user has to perform using a bank's ATM terminal the user is unfamiliar with.

[0218] According to the present invention, holding the mobile terminal towards, for example, an ATM terminal in a bank causes the ATM terminal to prompt the mobile terminal to input an appropriate personal identification code.

[0219] According to the present invention, a program and a personal identification code are associated with each other in the mobile terminal. Therefore, for example, when a bank's balance-of-account displaying program is called, the personal identification number is automatically called.

1. An integrated circuit device comprising: a memory region; memory allocating means for allocating the memory region to each application; personal identification code setting means for setting, for each application allocated to the memory region, a personal identification code for controlling the right to access each application; and accessibility/inaccessibility managing means for managing each application allocated to the memory region to be accessible/inaccessible, wherein the accessibility/inaccessibility managing means sets each application for which the personal identification code is set to be inaccessible in a default setting, and, in response to the fact that the personal identification code input from a user matches the set personal identification code, the accessibility/inaccessibility managing means sets the corresponding application to be accessible.
2. An integrated circuit device according to claim 1, wherein the memory allocating means allocates the memory region to each application in a hierarchical manner using directories, the personal identification code setting means sets, for each application and directory, the personal identification code for controlling the right to access each application and directory, and the accessibility/inaccessibility managing means sets each application and directory for which the personal identification code is set to be inaccessible in the default setting, and, in response to the fact that the personal identification code input from the user matches the set personal identification code, the accessibility/inaccessibility managing means sets the corresponding application or directory to be accessible.
3. An integrated circuit device according to claim 2, wherein, in response to the fact that the personal identification code input from the user matches the personal identification code set for one of the directories, the accessibility/inaccessibility managing means sets all applications and sub-directories under the directory to be accessible.
4. An integrated circuit device according to claim 1, further comprising private key setting means for setting, for each application allocated to the memory region, a private key for authentication, wherein the accessibility/inaccessibility managing means sets the inaccessible application to be accessible when the inaccessible application is mutually authenticated by a predetermined certificate authority using the private key.
5. An integrated circuit device according to claim 2, further comprising private key setting means for setting, for each application and directory allocated to the memory region, a private key for authentication, wherein the accessibility/inaccessibility managing means sets the inaccessible application or directory to be accessible when the inaccessible application or directory is mutually authenticated by a predetermined certificate authority using the private key.
6. An integrated circuit device according to claim 1, further comprising access denying means for causing each accessible application to be inaccessible in response to cutting off the power to the device.
7. An integrated circuit device according to claim 2, further comprising access denying means for causing each accessible application and directory to be inaccessible in response to cutting off the power to the device.
8. An integrated circuit device according to claim 1, further comprising: number-of-input-failure storing means for storing the number of failures of input of the personal identification code for each application allocated to the memory region; and maximum-permissible-number-of-input-failure setting means for setting the maximum permissible number of failures of input of the personal identification code for each application allocated to the memory region, wherein the accessibility/inaccessibility managing means sets the application in which the number of input failures has reached the maximum permissible number of inputs to be inaccessible.
9. An integrated circuit device according to claim 2, further comprising: number-of-input-failure storing means for storing the number of failures of input of the personal identification code for each application and directory allocated to the memory region; and maximum-permissible-number-of-input-failure setting means for setting the maximum permissible number of failures of input of the personal identification code for each application and directory allocated to the memory region, wherein the accessibility/inaccessibility managing means sets the application or directory in which the number of input failures has reached the maximum permissible number of inputs to be inaccessible.
10. An integrated circuit device according to claim 8 or 9, further comprising number-of-input-failure initializing means for clearing the number of input failures stored in the number-of-input-failure storing means by a manager mutually authenticated by a predetermined certificate authority.
11. An information processing apparatus comprising an integrated circuit device as set forth in claim 1.
12. An information processing apparatus according to claim 11, wherein the information processing apparatus is an information storage medium.
13. An information processing apparatus according to claim 12, wherein the information storage medium is a storage medium in the form of an IC card.
14. A memory management method for an information storage device, comprising: a memory allocating step of allocating a memory region to each application; a personal identification code setting step of setting, for each application allocated to the memory region, a personal identification code for controlling the right to access each application; and an accessibility/inaccessibility managing step of managing each application allocated to the memory region to be accessible/inaccessible, wherein, in the accessibility/inaccessibility managing step, each application for which the personal identification code is set is set to be inaccessible in a default setting, and, in response to the fact that the personal identification code input from a user matches the set personal identification code, the corresponding application is set to be accessible.
15. A memory management method for an information storage device according to claim 14, wherein, in the memory allocating step, the memory region is allocated to each application in a hierarchical manner using directories, in the personal identification code setting step, the personal identification code for controlling the right to access each application and directory is set for each application and directory, and in the accessibility/inaccessibility managing step, each application and directory for which the personal identification code is set is set to be inaccessible in the default setting, and, in response to the fact that the personal identification code input from the user matches the set personal identification code, the corresponding application or directory is set to be accessible.
16. A memory management method for an information storage device according to claim 15, wherein, in the accessibility/inaccessibility managing step, in response to the fact that the personal identification code input from the user matches the personal identification code set for one of the directories, all applications and sub-directories under the directory are set to be accessible.
17. A memory management method for an information storage device according to claim 14, further comprising a private key setting step of setting, for each application allocated to the memory region, a private key for authentication, wherein, in the accessibility/inaccessibility managing step, the inaccessible application is set to be accessible when the inaccessible application is mutually authenticated by a predetermined certificate authority using the private key.
18. A memory management method for an information storage device according to claim 15, further comprising a private key setting step of setting, for each application and directory allocated to the memory region, a private key for authentication, wherein, in the accessibility/inaccessibility managing step, the inaccessible application or directory is set to be accessible when the inaccessible application or directory is mutually authenticated by a predetermined certificate authority using the private key.
19. A memory management method for an information storage device according to claim 14, further comprising an access denying step of causing each accessible application to be inaccessible in response to cutting off the power to the information storage device.
20. A memory management method for an information storage device according to claim 15, further comprising an access denying step of causing each accessible application and directory to be inaccessible in response to cutting off the power to the information storage device.
21. A memory management method for an information storage device according to claim 14, further comprising: a number-of-input-failure storing step of storing the number of failures of input of the personal identification code for each application allocated to the memory region; and a maximum-permissible-number-of-input-failure setting step of setting the maximum permissible number of failures of input of the personal identification code for each application allocated to the memory region, wherein, in the accessibility/inaccessibility managing step, the application in which the number of input failures has reached the maximum permissible number of inputs is set to be inaccessible.
22. A memory management method for an information storage device according to claim 15, further comprising: a number-of-input-failure storing step of storing the number of failures of input of the personal identification code for each application and directory allocated to the memory region; and a maximum-permissible-number-of-input-failure setting step of setting the maximum permissible number of failures of input of the personal identification code for each application and directory allocated to the memory region, wherein, in the accessibility/inaccessibility managing step, the application or directory in which the number of input failures has reached the maximum permissible number of inputs is set to be inaccessible.
23. A memory management method for an information storage device according to claim 14 or 15, further comprising a number-of-input-failure initializing step of clearing the number of input failures stored in the number-of-input-failure storing step by a manager mutually authenticated by a predetermined certificate authority.
 24. A mobile terminalapparatus comprising: a semiconductor integrated circuit device having amemory region; one or more applications allocated to the memory region,wherein the right to access each application is controlled by a personalidentification code; a wireless interface for enabling the semiconductorintegrated circuit device to perform wireless communication with anexternal apparatus; a wired interface for performing wired communicationwith the semiconductor integrated circuit device; user input means forinputting, from a user, the personal identification code and other data;checking means for transferring the personal identification code inputfrom the user input means via the wired interface to the semiconductorintegrated circuit device and for checking the personal identificationcode with a personal identification code for each application allocatedto the memory region; and access-right control means for giving, as aresult of checking by the checking means, a right to the user to accessthe application in which the personal identification codes match eachother.
 25. A mobile terminal apparatus according to claim 24, whereinthe access-right control means permits the external apparatus to accessthe application for which the access right is given via the wirelessinterface using wireless communication.
 26. A mobile terminal apparatusaccording to claim 24, wherein, in response to detecting noelectromagnetic waves from the external apparatus connected via thewireless interface, the access-right control means determines that aseries of transactions related to the application for which the accessright is given has terminated and performs transaction terminationprocessing.
 27. A mobile terminal apparatus according to claim 24,wherein, in response to receiving no response within a predeterminedperiod of time in response to a command sent from the semiconductorintegrated circuit device via the wireless interface, the access-rightcontrol means determines that a series of transactions between theexternal apparatus and the semiconductor integrated circuit device,which are connected with each other via the wireless interface, hasterminated normally or abnormally and performs termination processing.28. A mobile terminal apparatus according to claim 24, furthercomprising: personal identification code registering means forregistering in advance the personal identification code for eachapplication; program activating means; and personal identification codeinput means for inputting the personal identification code for thecorresponding application in accordance with the activated program to anIC chip via the wired interface.
 29. A mobile terminal apparatusaccording to claim 24, wherein the semiconductor integrated circuitdevice is driven by receiving power using wireless communication withthe external apparatus.
 30. A mobile terminal apparatus according to claim 29, wherein, in response to being connected to the external apparatus via the wireless interface and thus receiving power, the semiconductor integrated circuit device notifies via the wired interface of the necessity to input the personal identification code for accessing the memory region.
 31. A semiconductor integrated circuit device embedded in a mobile terminal apparatus as set forth in claim 24.
 32. A semiconductor integrated circuit device according to claim 31, comprising a memory region to which one or more applications are allocated, wherein the right to access each application is controlled by a personal identification code.
 33. A semiconductor integrated circuit device according to claim 31, comprising a wireless interface for performing wireless communication and a wired interface for performing wired communication.
 34. A communication method using a mobile terminal apparatus having a semiconductor integrated circuit device which has a memory region and which communicates with an external apparatus, the mobile terminal apparatus including a wireless interface for enabling the semiconductor integrated circuit device to perform wireless communication with the external apparatus and a wired interface for performing wired communication with the semiconductor integrated circuit device in the mobile terminal apparatus, one or more applications being allocated to the memory region, wherein the right to access each application is controlled by a personal identification code, the communication method comprising: a user input step of inputting, from a user, the personal identification code; a sending step of sending the personal identification code input in the user input step via the wired interface to the semiconductor integrated circuit device; a checking step of checking the personal identification code input in the user input step against a personal identification code for each application allocated to the memory region; and an access-right control step of giving, as a result of checking in the checking step, a right to the user to access the application in which the personal identification codes match each other.
 35. A communication method using a mobile terminal apparatus according to claim 34, wherein, in the access-right control step, the external apparatus is permitted to access the application for which the access right is given via the wireless interface using wireless communication.
 36. A communication method using a mobile terminal apparatus according to claim 34, wherein, in the access-right control step, in response to detecting no electromagnetic waves from the external apparatus connected via the interface, it is determined that a series of transactions related to the application for which the access right is given has terminated, and transaction termination processing is performed.
 37. A communication method using a mobile terminal apparatus according to claim 34, wherein, in the access-right control step, in response to receiving no response within a predetermined period of time in response to a command sent from the semiconductor integrated circuit device via the wireless interface, it is determined that a series of transactions between the external apparatus and the semiconductor integrated circuit device, which are connected with each other via the wireless interface, has terminated normally or abnormally, and termination processing is performed.
 38. A communication method using a mobile terminal apparatus according to claim 34, further comprising: a personal identification code registering step of registering in advance the personal identification code for each application; a program activating step; and a personal identification code input step of inputting the personal identification code for the corresponding application in accordance with the activated program to the semiconductor integrated circuit device via the wired interface.
 39. A communication method using a mobile terminal apparatus according to claim 34, further comprising a notification step of notifying, in response to the fact that the semiconductor integrated circuit device is connected to the external apparatus via the wireless interface and thus receives power, of the necessity to input the personal identification code for accessing the memory region on an IC chip via the wired interface.
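
The access control recited in claims 24 to 27 (and mirrored in method claims 34 to 37), sketched in C as an added example that is not part of the patent text. All function names, the sample PINs, the 500 ms timeout and the constant-time comparison are assumptions, as is treating termination processing as clearing every access right.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_APPS 2
#define PIN_LEN 4
#define RESP_TIMEOUT_MS 500u /* assumed; the claims say only "predetermined" */

typedef struct {
    uint8_t pin[PIN_LEN]; /* constructed sample PIN registered for the app */
    bool unlocked;        /* access right currently given */
} app_t;

static app_t apps[NUM_APPS] = {
    { {1, 2, 3, 4}, false },
    { {9, 8, 7, 6}, false },
};

/* Constant-time compare (added hardening, not recited in the claims). */
static bool pin_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Wired interface: check the typed PIN against every application's PIN.
 * Returns the number of applications whose PIN matched on this call. */
int wired_submit_pin(const uint8_t *pin) {
    int granted = 0;
    for (int i = 0; i < NUM_APPS; i++)
        if (pin_equal(pin, apps[i].pin)) { apps[i].unlocked = true; granted++; }
    return granted;
}

/* Wireless interface: the external apparatus reaches an application only
 * while its access right is held. */
bool wireless_access(int app) {
    return app >= 0 && app < NUM_APPS && apps[app].unlocked;
}

/* Termination processing, assumed here to drop every access right. */
void terminate_transaction(void) {
    for (int i = 0; i < NUM_APPS; i++) apps[i].unlocked = false;
}

/* Claim 26: carrier gone. Claim 27: no response within the timeout. */
bool link_alive(bool carrier_present, uint32_t ms_since_command) {
    if (carrier_present && ms_since_command < RESP_TIMEOUT_MS) return true;
    terminate_transaction();
    return false;
}
```

Because the right is held per application and dropped as soon as the field or the response disappears, a reader that reconnects later finds every application locked until the PIN is entered again over the wired interface.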